diff --git a/Kconfig b/Kconfig index d976b55e2..b42292acc 100644 --- a/Kconfig +++ b/Kconfig @@ -149,6 +149,15 @@ config OTP_PROVISIONING WARNING: This uses the dummy keys by default. Do not use these keys in production, they are for demonstration purposes only. +config RPMB_SETUP + bool "OPTEE RPMB setup for OTP key write" + depends on IMAGE_BOOT_PG2 && !SECURE_BOOT + help + Enable one-time pairing between processor and secure storage + (RPMB on eMMC). Do not sign and distribute this version. Run it + only in a secure environment on the target device, then replace it + with signed production firmware and enable secure boot. + config KAS_INCLUDE_SECURE_BOOT string default "kas/opt/secure-boot.yml" @@ -164,6 +173,11 @@ config KAS_INCLUDE_OTP_PROVISIONING default "kas/opt/otpcmd/key-switch-2to3.yml" if OTP_PROVISIONING_KEY_SWITCHING_2TO3 depends on OTP_PROVISIONING +config KAS_INCLUDE_RPMB_SETUP + string + default "kas/opt/rpmb-setup.yml" + depends on RPMB_SETUP + comment "Build options" config SDK diff --git a/kas/opt/rpmb-setup.yml b/kas/opt/rpmb-setup.yml new file mode 100644 index 000000000..d52977938 --- /dev/null +++ b/kas/opt/rpmb-setup.yml @@ -0,0 +1,16 @@ +# +# Copyright (c) Siemens AG, 2022 +# +# Authors: +# Ivan Mikhaylov +# +# This file is subject to the terms and conditions of the MIT License. See +# COPYING.MIT file in the top-level directory. +# + +header: + version: 10 + +local_conf_header: + optee-os-iot2050_override: | + OVERRIDES .= ":rpmb-setup" diff --git a/recipes-bsp/optee-os/optee-os-iot2050_3.16.0.bb b/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb similarity index 54% rename from recipes-bsp/optee-os/optee-os-iot2050_3.16.0.bb rename to recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb index dc56f7b86..8cf69f5f9 100644 --- a/recipes-bsp/optee-os/optee-os-iot2050_3.16.0.bb +++ b/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb 
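Review bot: The `RPMB_SETUP` help text says "one-time pairing" but not why that matters operationally: per the eMMC spec the RPMB authentication key is write-once, so an image built with this option permanently binds the eMMC to whatever key OP-TEE derives on the device it first boots on, and a device paired with the wrong key loses access to secure storage for good. I would add a sentence after "Do not sign and distribute this version.", e.g. `The RPMB authentication key is programmed on first boot and can never be changed afterwards; boot this image exactly once per target.` The `depends on ... !SECURE_BOOT` guard only covers the Kconfig path; since `KAS_INCLUDE_RPMB_SETUP` just pulls in `kas/opt/rpmb-setup.yml`, a user can still include that file next to the secure-boot include by hand, so the recipe-level check in the optee-os recipe (rather than this option) is what actually enforces the exclusion, and the help text could say so.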
@@ -11,7 +11,7 @@ require recipes-bsp/optee-os/optee-os-custom.inc SRC_URI += "https://github.com/OP-TEE/optee_os/archive/${PV}.tar.gz" -SRC_URI[sha256sum] = "ebc8e18ad2039ee97c34f74a7546de9119e26f04c368b6c7fd0c55f93d33d2d6" +SRC_URI[sha256sum] = "bdd309697745ec4406951652094b50d9adb06c3612f01bd8a3d72682ec8e03e8" S = "${WORKDIR}/optee_os-${PV}" @@ -22,7 +22,18 @@ OPTEE_NAME = "iot2050" OPTEE_PLATFORM = "k3-am65x" OPTEE_EXTRA_BUILDARGS = " \ CFG_ARM64_core=y CFG_TEE_CORE_LOG_LEVEL=2 CFG_USER_TA_TARGETS=ta_arm64 \ - CFG_CONSOLE_UART=1" + CFG_CONSOLE_UART=1 CFG_RPMB_FS=y CFG_RPMB_FS_DEV_ID=1 CFG_CORE_DYN_SHM=y \ + CFG_IN_TREE_EARLY_TAS=avb/023f8f1a-292a-432b-8fc4-de8471358067" + +OPTEE_EXTRA_BUILDARGS_append_rpmb-setup = " CFG_RPMB_WRITE_KEY=y" + +python do_patch_prepend() { + import re + + overrides = d.getVar('OVERRIDES') + if re.search("rpmb-setup", overrides) and re.search("secureboot", overrides): + bb.fatal("Not possible to use Secure Boot and RPMB setup for OPTEE") +} dpkg_runbuild_prepend() { export TEE_IMPL_VERSION=${PV}
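Review bot: The guard in `do_patch_prepend` matches `rpmb-setup` and `secureboot` as regex substrings of the colon-separated OVERRIDES string, so any override whose name merely contains those strings (or a future `no-secureboot`-style override) would trip or mask the fatal; match whole tokens instead: `overrides = (d.getVar('OVERRIDES') or '').split(':')` then `if 'rpmb-setup' in overrides and 'secureboot' in overrides:`, which also drops the `import re`. This assumes `secureboot` is the override the secure-boot kas include sets; the diff does not show that file, so worth confirming the spelling since a mismatch silently disables the check. Beyond the guard, nothing in the recipe tells a reader that `CFG_RPMB_WRITE_KEY=y` produces an image that programs the write-once RPMB authentication key and must never be signed or shipped; a comment above the `OPTEE_EXTRA_BUILDARGS_append_rpmb-setup` line such as `# rpmb-setup: this build programs the RPMB key on first boot - never sign or distribute it, see Kconfig RPMB_SETUP` keeps the warning next to the flag that causes it. As I understand OP-TEE derives the RPMB key from the platform HUK, so if the HUK on this platform is not device-unique the pairing key is predictable as well - please confirm before using this path on production units.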